Article 4(7). GDPR. Controller

 

Author: András Jóri 

(7) ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

I. Preliminary remarks

Controller, defined in Art. 4 (7) of the GDPR, is arguably the most important actor in data protection law. Various language versions emphasize different attributes of this actor: it is in “control”, determining the purposes and means of processing, and it also bears legal responsibility for the processing (“Verantwortlicher” in the German definition). Identifying the controller, distinguishing between controller and processor, and establishing whether the controller carries out its activities in the context of individual or joint controllership are the most important tasks in many cases of applying data protection law. According to the EDPB, the concept of controller (along with those of joint controller and processor) is a functional concept aiming to allocate responsibilities as well as an autonomous concept, to be interpreted in the context of data protection law. In the view of the Board, the concept of controller plays a role in ensuring “accountability and the effective and comprehensive protection of the personal data”. In many cases, the controller is actually processing data on its own behalf; however, this is not a necessary element of controllership. If the elements of control and responsibility are present, an actor might qualify as controller without even having access to the data, with the actual “processing” of the data carried out by a processor on its behalf (→ mn. 14 and Art. 4 (8)).

II. Legislative history

Art. 2 (d) DPD defined controller in almost the same way as the GDPR does, with minor stylistic differences. Notably, the Comm-P proposed to include the text “purposes, conditions and means” instead of “purposes and means”, but eventually the wording of the DPD was adopted by the legislator. The GDPR did not bring new developments regarding the definition itself but contains more detailed regulation of joint controllership (→ Art. 26) and other, sometimes newly regulated actors of data protection law (see “group of undertakings”, Art. 4 (19)).

III. Analysis
1. “Natural or legal person, public authority, agency or other body”

The list of persons that can act as data controllers reflects a wide group of persons and bodies. According to the EDPB, “(i)n principle, there is no limitation as to the type of entity that may assume the role of a controller” – note, however, the use of the term “entity” in the wording of the Board.

Legal personality is in many cases determined by Member State law: authorities, agencies or other bodies in most cases will likely hold legal personality, while other bodies, undertakings and so forth might operate without qualifying as legal persons. In such cases, “other body” might cover these actors. Defining what is construed as a “body” is thus crucial to determining the scope of actors that can act like processors. Note that the term “body” is also used by the legislator in Art. 9 para. 1 lit. d of the Regulation.

According to the EDPB, not only individuals but also a group of individuals can act as controllers. In the CJEU case referred to, though, a group of individuals – together with their church – acted as joint controllers; the question remains whether a group of individuals can act as an individual controller or not. While we find it theoretically possible, according to a relevant Member State court decision, such a group – an informal group of persons lacking legal personality – is not considered a “body” and might not qualify as one controller of personal data. Such a scenario might also raise questions regarding liability, an issue that is addressed by Art. 82 para. 4 of the GDPR if the actors are joint controllers. Therefore, we advise using the model of joint controllership in such cases.

 

[…]

 

 
